Please support our Web Development advertiser:
Featured Entry 
Sep 7th, 2005, 1:58 pm
McAfee, Inc., a leader in intrusion prevention, announced that its security services group, Foundstone Professional Services, will release a whitepaper on Microsoft ASP.NET Forms Authentication and "cookie replay" attacks. The whitepaper will be located at http://www.foundstone.com/index.htm?...hitepapers.htm. In response, Microsoft authored an MSDN article:
http://support.microsoft.com/default...b;en-us;900111.
What is a "cookie replay" attack? When authentication information is stored in a cookie, an attacker who gains access to that cookie can authenticate back to the web application.
The particular vulnerability in ASP.NET Forms Authentication, is that even if the cookie is explicitly removed, no persistent record of that is stored server-side. So, the credentials could still be used to authenticate to the web application. Also, even though cookies can have an expiration date (and always should!), ASP.NET actually uses a " forms authentication ticket" to determine if a cookie is still valid. This can allow an "expired" cookie to still be seen as valid by the ASP.NET application.
Both the Foundstone/MacAffee whitepaper, and the MSDN article, give advice for how to plug this potential security hole.
http://support.microsoft.com/default...b;en-us;900111.
What is a "cookie replay" attack? When authentication information is stored in a cookie, an attacker who gains access to that cookie can authenticate back to the web application.
The particular vulnerability in ASP.NET Forms Authentication, is that even if the cookie is explicitly removed, no persistent record of that is stored server-side. So, the credentials could still be used to authenticate to the web application. Also, even though cookies can have an expiration date (and always should!), ASP.NET actually uses a " forms authentication ticket" to determine if a cookie is still valid. This can allow an "expired" cookie to still be seen as valid by the ASP.NET application.
Both the Foundstone/MacAffee whitepaper, and the MSDN article, give advice for how to plug this potential security hole.
This blog entry was written by tgreer. It has received 2,989 views, 0 comments, and 3 linkbacks. It was promoted to featured status Sep 7th, 2005.
•
•
•
•
advertising apple blog business daniweb dell development economy email facebook firefox gaming google government hacking hardware ibm intel internet iphone ipod linux mac malware microsoft mobile mozilla mp3 music news open source privacy search security server software sony spam stocks technology trojan ubuntu video vista web windows xp yahoo youtube
All Recent Tags Post Comment
•
•
•
•
Only community members can start a blog or comment on blog entries. You must register or log in to contribute.
•
•
•
•
•
•
•
•
DaniWeb Web Development Marketplace
Related Blog Entries
- Open Web Foundation to Help Shepard Standards (7 Hours Ago)
- DNS Security Flaw In the Wrong Hands? (2 Days Ago)
- ISO Uses PDFs Too, Standardizes Format (22 Days Ago)
- Microsoft announces host of new Internet Explorer 8 security features (22 Days Ago)
- Latest Mac OS X Trojan Might Be Sign of Things to Come (24 Days Ago)
- Yahoo Mail Open—then Closed—to Hackers (28 Days Ago)
- Barack Obama is following me on Twitter! (29 Days Ago)
- Salesforce Says ‘Hey, Google, Get Onto My Cloud’ (31 Days Ago)
- Web forms are still the gateway to security hell (33 Days Ago)
- Ruby, Ruby, Ruby - Vulnerable, Vulnerable, Vulnerable (33 Days Ago)
Related Forum Threads
- Login - Get the Correct Username and Password in ASP.NET Using VB (ASP.NET)
- ASP.Net Security 101 Part 1 (ASP.NET)
- help with asp.net/JS and cookies (ASP.NET)
- Simple ASP.Net Login Page (Using VB.Net) (ASP.NET)
- My first attempt at ASP.NET... (ASP.NET)
- Forms Authorization/ Authentication using asp .net and vb .net (ASP.NET)
